A Logic for the Specification of Continuous Systems

A Logic for the Specification of Continuous Systems
Viktor Friesen
Technische Universität Berlin, Forschungsgruppe Softwaretechnik (Sekr. FR5-6), Franklinstr. 28/29, D-10587 Berlin, Germany
e-mail: [email protected]

Abstract. The paper proposes a first-order logic for the specification of continuous components of hybrid systems. The particularity of the approach lies in its interpretation of individual variables not as functions over time or as point-based values, but as environment-based values. An environment-based value closely models the local behavior of a function defined on a continuous time domain. The advantage of the approach is that it enables us to consider the derivation operator as an ordinary unary logical function. Thus, the logic is free from any built-in operators; they can all be defined on the elements of the carrier set of environment-based values. To facilitate the definition of additional logical functions and predicates like limit, derivation of arbitrary order or continuity, the user is allowed to specify them in the intuitive notation of functions defined on time. The semantics of the logic provides two lifting operators, which lift the functions and the predicates to the appropriate semantic spaces. These lifting operators do not violate the intuitive meaning of the introduced constructs. An outline of the proof of this fact is given.

1 Introduction

A specification of a system usually determines a set of permitted system behaviors. If T is the considered time domain¹, V a finite set of system variables, and Val a set of possible values, then a state is an assignment of a value to each system variable and a behavior is an assignment of a state to each time point. The set of all states is denoted by Σ and the set of all system behaviors by BEH, i.e. Σ := V → Val and BEH := T → Σ. With these definitions, the task of a specification is to define an appropriate subset of BEH. To formally specify hybrid systems, powerful specialized description techniques for discrete and continuous parts of the system are needed. Also required

This work is being funded as part of the KONDISK program of the German Research Foundation (DFG).
¹ T is often chosen as a finite or infinite interval of real numbers R or as the natural numbers N.

are means for combining discrete and continuous components naturally. For more than twenty years, numerous logics and model-based languages have been available which are tailored to the proper specification of discrete systems, like VDM [7] or Z [11]. The central concepts on which these languages are based are state invariants and operations. The system is specified by describing a state invariant INV ⊆ Σ and a finite set of operations o1, …, on, each of them denoting a binary relation on Σ. Roughly speaking, the invariant specifies the static, and the operations the dynamic, aspects of a system. The system variables are interpreted as elements of Val. The state invariant INV and the operations oi are specified using predicates on Σ and Σ × Σ, respectively, both formulated in predicate logic. In the case of real-time extensions of such formalisms, the user can additionally describe some time aspects of the system behavior, like the duration of an operation or the time the system remains in a particular state. Because ordinary predicate logic is used, the available toolkit can be extended by defining supplementary functions and predicates, thus leading to flexibility in the choice of the specification means, cf. [7, 11]. Continuous systems cannot be described in the same style, since their dynamics is not expressible by operations; instead, differential equations are often used. These contain derivatives of state variables. Because the derivative of a function at a certain time point t cannot be determined if only the value of this function at t is known, the variables are usually interpreted not as elements of Val, as in the discrete case, but as functions T → Val (cf. the topological approach of [8]) or I → Val with a non-empty interval I ⊆ T (cf. Hybrid Temporal Logic [6], Hybrid Automata [1], (Extended) Duration Calculus [10]).
In most of these approaches, the derivation is a built-in operator that may be applied only to system variables and not to arbitrary expressions, because the latter may represent non-differentiable behavior. The possibilities for enlarging the existing specification means are very limited, especially compared with discrete specification languages. One of the reasons for this restriction is the difficulty of guaranteeing the semantic compatibility of newly introduced operators with the underlying semantics, because the semantic space (often chosen as the set of piecewise differentiable functions) is normally not closed against user-defined operators (cf. [10, p. 18]). From the point of view of logic, the derivation is a logical function and equality is a logical predicate, so a differential equation can be seen as an ordinary (atomic) logical formula. If an appropriate interpretation of the system variables can be found such that the derivation is definable as an ordinary total logical function on this interpretation set, then the derivation can be removed from the set of built-in operators of a specification language and replaced by a conventional user interface allowing the definition of additional logical functions and predicates. In doing so, a substantial advantage with respect to the flexibility of the specification language is achieved, because the additional definitions are not restricted to derivation. In this paper, the Continuous Environment-Based Logic (CEL) is presented. The syntax of CEL is the syntax of ordinary first-order logic. The main particularity is the special interpretation of the individual variables as environment-based values from the semantic space, called ValE. The state space of the system is thus equal to V → ValE. On the one hand, this interpretation allows the definition of the derivation, the limit, continuity, and other well-known notions of calculus as conventional total logical functions and predicates on the elements of ValE. As the semantic space is closed against all these user-defined constructs and they are all total, each syntactic CEL term has a well-defined semantics. On the other hand, continuous systems can be specified using CEL without explicitly mentioning the time variable and without interpreting the variables as functions of time, because the elements of ValE contain only local information. The paper is organized as follows. In Section 2, we introduce the logic CEL, describing in particular its syntax, two different interpretations of the syntax, and the relation between these interpretations. Section 3 presents examples of user-defined functions and predicates and illustrates how they can be used to specify continuous systems. Some concluding remarks are given in Section 4.

2 The Logic CEL

2.1 Semantic Space

To motivate the structure of the environment-based values, we consider the following problem. Let f : R → R be a function and t ∈ R. Which information about f is necessary and sufficient to decide the following questions: Is f continuous at t? Does the limit (derivative) of f at t exist and, if so, what is its value? On the one hand, we obviously do not have to know the values of f on the whole of R. On the other hand, it is not enough to know only the value of f at t, i.e. f(t). The knowledge of f in every ε-environment of t is sufficient, but for no concrete ε-environment is it really necessary. So, roughly speaking, we can represent the local behavior of f around t by the collection of all functions matching pairwise on some ε-environment of t. To formalize this idea, we define the set BF := R ↛ Val of basic functions, which play the role of f in the above motivation. Because in CEL we want to be able to define limit, derivation, continuity, and other similar environment-based notions as total functions and predicates on ValE, and because such functions do not always yield a defined value when defined conventionally, we allow basic functions to be partial (denoted by ↛). Next, we define the equivalence relation ≈ on BF × R. (f1, t1) ≈ (f2, t2) states that f1 and f2 behave equally in an ε-environment of t1 and t2, respectively. (We use the syntax of Z [11] to express mathematics. ◁ denotes the domain restriction of a function. (a, b) stands for an open real-valued interval bounded by a and b. R>0 denotes the positive real numbers. The application of the auxiliary function Shift on (f, x) shifts the basic function f to the right by the value x.)

≈ : (BF × R) ↔ (BF × R)
∀ f1, f2 : BF; t1, t2 : R • (f1, t1) ≈ (f2, t2) ⇔ ∃ ε : R>0 • (t1 − ε, t1 + ε) ◁ f1 = Shift((t2 − ε, t2 + ε) ◁ f2, t1 − t2)

An environment-based value is represented by a function mapping each time point t ∈ R to the set of all basic functions matching pairwise on some ε-environment of t (dom f denotes the domain of f, P₁ the set of non-empty subsets). We model the local behavior by all functions and for all points of time in order to avoid different representations for the same local behavior. An environment-based value contains less information than a definition of a function on any non-empty interval and more than a conventional point-based value. We do not require any analytical restrictions on the values of Val; throughout this paper continuous systems are seen as the set of all systems defined on a continuous time domain.

ValE := {ev : R → P₁ BF | (∀ t1, t2 : R • ∀ f1 : ev(t1); f2 : ev(t2) • (f1, t1) ≈ (f2, t2) ∧ (∀ f : BF • (f, t1) ≈ (f1, t1) ⇒ f ∈ ev(t1)))}

The auxiliary function CreateEnv : BF × R → ValE, which is needed for later developments, takes a basic function and a time point as arguments and yields the environment-based value characterized by this pair. Formally, it is (uniquely) defined by CreateEnv(f, t) := (μ ev : ValE | f ∈ ev(t)).

2.2 Syntax

As mentioned above, the syntax of CEL does not differ from the syntax of ordinary first-order logic. We specify it for the sake of completeness.

Definition 1 (individual variables, signature). We denote the (countable) set of individual variables by V. A signature S is a triple whose components are a finite or countably infinite set FS of function symbols, a finite or countably infinite set PS of predicate symbols with FS ∩ PS = ∅, and the arity function PS ∪ FS → N. A p ∈ PS of arity n is called an n-ary predicate symbol, and an f ∈ FS of arity n an n-ary function symbol. If f has arity 0, then we call f a constant.

Definition 2 (terms). The set TS of S-terms over a signature S is defined as the smallest set with the following properties:
– All individual variables v ∈ V are terms.
– All function symbols c ∈ FS with arity 0 are terms.
– If f ∈ FS is an n-ary function symbol (n > 0) and t1, …, tn are terms, then f(t1, …, tn) is also a term.

Definition 3 (atomic formulas). The set of atomic formulas AtForS over a signature S is the smallest set with the following properties:
1. Every 0-ary predicate symbol p ∈ PS is an atomic formula.
2. If p ∈ PS (n > 0) is an n-ary predicate symbol and t1, …, tn are terms, then p(t1, …, tn) is an atomic formula.

Definition 4 (formulas). The set of formulas ForS over a signature S is the smallest set with the following properties:
1. AtForS ⊆ ForS (each atomic formula is a formula).
2. Let A, B ∈ ForS. Then (¬A), (A ⇒ B) and (∀ v • A) are elements of ForS.
The parentheses may be omitted according to the usual priority rules. We use the common logical abbreviations: A ∨ B stands for ¬A ⇒ B, A ∧ B for ¬(¬A ∨ ¬B), and ∃ v • A for ¬∀ v • ¬A.

2.3 Environment-Based Interpretation

The semantics of CEL is developed according to the same standard structural definitions as the semantics of ordinary first-order logic. The primary difference is the interpretation of individual variables not on arbitrary carrier sets, but on the set ValE. Since we give another interpretation to the same syntax later (the so-called function-based interpretation, cf. Section 2.4), we mark the notions introduced in this section with an E. We denote the sets ValE^n → ValE and P(ValE^n) of n-ary functions and relations on ValE for n ∈ N₁ by FnE and PnE, respectively.

Definition 5 (E-interpretation). Let S be a signature. An E-interpretation (environment-based interpretation) IE is defined as follows:
1. IE assigns to each n-ary function symbol f with n > 0 an n-ary function on E-values, i.e. IE(f) ∈ FnE.
2. IE assigns to each constant c ∈ FS an E-value, i.e. IE(c) ∈ ValE.
3. IE assigns to each n-ary predicate symbol p with n > 0 an n-ary relation on E-values, i.e. IE(p) ∈ PnE.
4. IE assigns to each 0-ary predicate p one of the Boolean values tt or ff.

Definition 6 (E-evaluation of terms). Let S be a signature and IE an E-interpretation of S. For each E-assignment V → ValE, we define the term evaluation function IE : TS → ValE (relative to that assignment) as follows:
1. IE(v) := the E-value the assignment gives to v, for every v ∈ V
2. IE(c) := IE(c) for each c ∈ FS of arity 0
3. IE(f(t1, …, tn)) := IE(f)(IE(t1), …, IE(tn)) for n > 0, f ∈ FS of arity n, t1, …, tn ∈ TS

Definition 7 (E-evaluation of formulas). Let S be a signature, IE an E-interpretation of S, and an E-assignment of V be given. We define ω_IE : ForS → {tt, ff} (relative to that assignment) by structural induction over the construction of formulas as follows:



1. ω_IE(p(t1, …, tn)) := tt if (IE(t1), …, IE(tn)) ∈ IE(p), and ff otherwise, for p ∈ PS of arity n > 0 and t1, …, tn ∈ TS; ω_IE(p) := IE(p) for p ∈ PS of arity 0.
2. ω_IE(¬B) := tt if ω_IE(B) = ff, and ff if ω_IE(B) = tt.
3. ω_IE(B ⇒ C) := ff if ω_IE(B) = tt and ω_IE(C) = ff, and tt otherwise.
4. ω_IE(∀ v • B) := tt if ω_IE(B) = tt holds under every modified assignment V → ValE that maps v to some ev ∈ ValE and agrees with the given assignment on all x ≠ v, and ff otherwise.

Definition 8 (E-validity of formulas). Let S be a signature and IE an E-interpretation of S. The partial function ω_IE : ForS ↛ {tt, ff} is defined as follows: ω_IE(A) := tt if the E-evaluation of A (Def. 7) yields tt under every E-assignment V → ValE; ff if it yields ff under every E-assignment V → ValE; undefined otherwise.

2.4 Function-Based Interpretation

The elements of ValE have a rather complex structure, so it would be very awkward to define all the functions and predicates the user may need for the specification of continuous behavior on the set ValE. The function-based interpretation presented in this section interprets the individual variables of CEL on basic functions. The function symbols are interpreted not as arbitrary functions F : BF^n → BF, but as admitted functions which preserve ≈n (≈n is the extension of ≈ to n-dimensional vectors of functions). The predicate symbols are interpreted as admitted predicates, defined as subsets of BF^n × R which are closed against ≈n. All these structures are much more familiar to the user compared with their E-based counterparts. The result of an F-evaluation of a formula depends not only on the interpretation IF and an assignment, but (unlike E-interpretations) also on the current time point t. A formula is F-valid if it evaluates to true for all interpretations, assignments, and time points. Thus, compared with an E-interpretation, an F-interpretation is more intuitive but less abstract because of the explicit dependence on time. In Section 2.5, it will be shown that, under some circumstances, E-validity and F-validity are equivalent.

Definition 9 (admitted functions and predicates). The families of admitted functions (FnF | n ∈ N₁) and admitted predicates (PnF | n ∈ N₁) are defined

as follows:
– FnF := {F : BF^n → BF | ∀ f1, f2 : BF^n; t1, t2 : R • (f1, t1) ≈n (f2, t2) ⇒ (F(f1), t1) ≈ (F(f2), t2)}
– PnF := {P : P(BF^n × R) | ∀ f1, f2 : BF^n; t1, t2 : R • (f1, t1) ∈ P ∧ (f1, t1) ≈n (f2, t2) ⇒ (f2, t2) ∈ P}

It can be shown that the family of admitted functions is closed against composition. More precisely, if F ∈ FnF and G ∈ FmF, then for each hl : BF^(n+m−1) → BF (l ≤ n) defined by hl(f1, …, f(n+m−1)) := F(f1, …, f(l−1), G(fl, …, f(l+m−1)), f(l+m), …, f(n+m−1)), hl ∈ FkF with k = n + m − 1 holds. Moreover, it can be shown that the sets PnF of admitted predicates are closed against union, intersection, and complement.

Definition 10 (F-interpretation). Let S be a signature with function symbols FS and predicate symbols PS. An F-interpretation (function-based interpretation) IF has the following properties:
1. IF assigns to each n-ary function symbol f with n > 0 an n-ary admitted function, i.e. IF(f) ∈ FnF.
2. IF assigns to each constant c ∈ FS a constant basic function IF(c) ∈ BF.
3. IF assigns to each n-ary predicate symbol p with n > 0 an n-ary admitted relation, i.e. IF(p) ∈ PnF.
4. IF assigns to each 0-ary predicate symbol p one of the two Boolean values tt or ff.

Definition 11 (F-evaluation of terms). Let S be a signature and IF an F-interpretation of S. For every F-assignment V → BF we define the function IF : TS → BF (relative to that assignment) as follows:
1. IF(v) := the basic function the assignment gives to v, for all v ∈ V
2. IF(c) := IF(c) for all c ∈ FS of arity 0
3. IF(f(t1, …, tn)) := IF(f)(IF(t1), …, IF(tn)) for n > 0, f ∈ FS of arity n, t1, …, tn ∈ TS

Definition 12 (F-evaluation of formulas). Let S be a signature, IF an F-interpretation of S, an F-assignment of V be given, and t ∈ R. We define ω_IF,t : ForS → {tt, ff} by structural induction over the construction of formulas as follows:
1. ω_IF,t(p(T1, …, Tn)) := tt if ((IF(T1), …, IF(Tn)), t) ∈ IF(p), and ff otherwise, for p ∈ PS of arity n > 0, T1, …, Tn ∈ TS;

ω_IF,t(p) := IF(p) for p ∈ PS of arity 0.
2. ω_IF,t(¬B) := tt if ω_IF,t(B) = ff, and ff if ω_IF,t(B) = tt.
3. ω_IF,t(B ⇒ C) := ff if ω_IF,t(B) = tt and ω_IF,t(C) = ff, and tt otherwise.
4. ω_IF,t(∀ v • B) := tt if ω_IF,t(B) = tt holds under every modified assignment V → BF that maps v to some bf ∈ BF and agrees with the given assignment on all x ≠ v, and ff otherwise.

Definition 13 (F-validity of formulas). Let S be a signature and IF an F-interpretation of S. The partial function ω_IF : ForS ↛ {tt, ff} is defined as follows: ω_IF(A) := tt if ω_IF,t(A) = tt holds for every F-assignment V → BF and all t ∈ R; ff if ω_IF,t(A) = ff holds for every F-assignment V → BF and all t ∈ R; undefined otherwise.

2.5 Relation Between E-Interpretations and F-Interpretations

As mentioned above, under special circumstances E-validity and F-validity coincide. In this section, we define the notion of compatible interpretations and show that under such interpretations this assertion is true. Before doing this, we define the lifting operators, which allow the definition of logical constructs using basic functions BF instead of ValE, thus switching from a complex to a much simpler structure. These BF-definitions can then be implicitly lifted to ValE. The operators LFpn and LPpn, defined below, lift point-based functions and predicates defined on R, like +, −, ·, <
2. For all f ∈ FS of arity n > 0: IE(f) = LFn(IF(f))
3. For all p ∈ PS of arity 0: IE(p) = IF(p)
4. For all p ∈ PS of arity n > 0: IE(p) = LPn(IF(p))
The definition states that a 0-ary function symbol c is mapped by IE to an E-value that represents the constant behavior of the function IF(c). For each F-interpretation there exists (exactly) one compatible E-interpretation. The reverse is not true, because an E-interpretation can assign to 0-ary function symbols E-values which do not constitute constant behavior. Therefore, there are more E-interpretations than F-interpretations. The lifting operators LFn and LPn allow the definition of logical E-constructs in a straightforward manner. But so far there is no guarantee that the meaning

of E-constructs defined in this way is preserved by the lifting operators. Hence, we cannot execute the usual logical tasks, like formula manipulation or deduction, in E-interpreted CEL with the F-meaning of the constructs in mind. The following theorem shows that, under compatible interpretations, F-validity and E-validity are equivalent, thus proving the correctness of using lifted F-constructs in E-interpretations (we need both claims because ω_IF and ω_IE may be undefined, cf. Def. 13 and 8).

Theorem 17. Let S be a signature, IF an F-interpretation of S, IE an E-interpretation of S that is compatible with IF, and A an S-formula. Then the following holds:
1. ω_IF(A) = tt if and only if ω_IE(A) = tt
2. ω_IF(A) = ff if and only if ω_IE(A) = ff

Proof (sketch).
1. Let two F-assignments of V be given (referred to below as the first and the second), T ∈ TS a term, and t′, t″ ∈ R. Using structural induction, it can be proved that ≈ distributes through terms and formulas under F-interpretations:
(a) If for all v ∈ V the first assignment's value of v, paired with t′, is ≈-equivalent to the second assignment's value of v, paired with t″, then the F-evaluation of T under the first assignment, paired with t′, is ≈-equivalent to the F-evaluation of T under the second assignment, paired with t″.
(b) Under the same hypothesis, ω_IF,t′(A) under the first assignment equals ω_IF,t″(A) under the second.
With these results, it can be shown that, if a formula F-evaluates to true for one fixed time point and for all F-assignments, then this formula is F-valid:
(∃ t : R • ω_IF,t(A) = tt for all F-assignments V → BF) ⇔ ω_IF(A) = tt
The analogous result holds for false formulas.
2. Let an F-assignment of V be given, T ∈ TS a term, and t ∈ R. The E-assignment corresponding to this F-assignment and t maps each v ∈ V to CreateEnv(bf, t), where bf is the basic function the F-assignment gives to v. The relation between corresponding assignments under compatible interpretations regarding terms and formulas is expressed by the following two facts, which can be proved by structural induction over the construction of terms and formulas, respectively:
(a) CreateEnv(IF(T), t) = IE(T), the right-hand side being evaluated under the corresponding E-assignment
(b) ω_IF,t(A) = ω_IE(A), the right-hand side being evaluated under the corresponding E-assignment
3. With the results from 1. and 2., the assertions of the theorem can be proved in a few steps.

3 Specification Examples

In this section, we illustrate how the logic CEL can be used to describe continuous systems. As CEL does not contain any built-in functions or predicates, we must first introduce the required concepts. This is done in Section 3.1. In Section 3.2, these concepts are employed to specify two small continuous systems using the syntax of ZimOO [4], an object-oriented specification language for hybrid systems whose semantics is based on CEL.

3.1 User-Defined Concepts

When specifying continuous systems with CEL, the E-interpretation is assumed because it is much more abstract than the F-interpretation. However, it would be very awkward to define all the functions and predicates the user may need directly on the set ValE. Fortunately, admitted functions FnF and predicates PnF (cf. Def. 9), together with the lifting operators LFn and LPn (cf. Def. 15), provide a sound interface to the E-interpretation of CEL. Thus, we are allowed to specify the required logical constructs as elements of FnF or PnF in an intuitively comprehensible manner. When used in specifications of continuous systems, these functions and predicates are implicitly lifted to elements of FnE or PnE, respectively. Theorem 17 ensures that the intuitive meaning is not violated. Here, we use the syntax of Z instead of conventional mathematics to introduce the logical constructs.

Functions and Predicates

The construct introduced first is the unary predicate P, which characterizes points with defined local behavior (== is the definition symbol). const describes constant local behavior. It is obvious that P and const are admitted predicates. Thus, their liftings can be used in continuous specifications.

P == {f : BF; t : R | t ∈ dom f}
const == {f : BF; t : R | (∃ ε : R>0; v : Val • (t − ε, t + ε) ⊆ dom f ∧ ran((t − ε, t + ε) ◁ f) = {v})}

The next three functions define the limit from the left, the limit from the right, and the "ordinary" limit; we write them ←f, →f and ↔f (typeset as arrows over f). As the set Val must meet certain requirements to allow the definition of limit (it should be at least a metric space), we interpret Val henceforth as the set of real numbers. In the definition, we use the type seq₁ and the function limseq, which are not defined here. They denote the type of infinite sequences and the limit of sequences, respectively. We consider a function to be a set of pairs, a view familiar to Z users. It can easily be proved that all three limits are admitted functions.

←, →, ↔ : BF → BF
∀ f : BF •
  ←f = {x, l : R | (let SEC == seq₁ {t : dom f | t < x} • (∃ s : SEC • limseq s = x) ∧ (∀ s : SEC • limseq s = x ⇒ limseq (λ n : N₁ • f(s n)) = l))}
  →f = {x, l : R | (let SEC == seq₁ {t : dom f | t > x} • (∃ s : SEC • limseq s = x) ∧ (∀ s : SEC • limseq s = x ⇒ limseq (λ n : N₁ • f(s n)) = l))}
  ↔f = ←f ∩ →f

The admitted unary predicates ←L and →L characterize local behavior with an existing limit from the left or from the right, respectively. The unary predicates ←C, →C, and C describe local behavior that is continuous from the left, continuous from the right, and (merely) continuous, respectively.

←L == {f : BF; t : R | t ∈ dom ←f}
→L == {f : BF; t : R | t ∈ dom →f}
←C == {f : BF; t : R | t ∈ dom f ∧ t ∈ dom ←f ∧ ←f(t) = f(t)}
→C == {f : BF; t : R | t ∈ dom f ∧ t ∈ dom →f ∧ →f(t) = f(t)}
C == ←C ∩ →C

The notion of limit can now be used to define the derivation operator, written ḟ. It is a total function, and it can be proved to be an admitted one.

˙ : BF → BF
∀ f : BF • ḟ = {t, d : R | (let DQ == {h, w : R | h ≠ 0 ∧ {t, t + h} ⊆ dom f ∧ w = (f(t + h) − f(t))/h} • 0 ∈ dom ↔DQ ∧ ↔DQ(0) = d)}

The unary predicate D describes differentiable local behavior.

D == {f : BF; t : R | t ∈ dom ḟ}

The admitted binary predicate =co states that, if the local behavior represented by the right-hand side of =co is continuous, then the left-hand side describes defined local behavior. =co is not common in conventional analysis, but it has proved very helpful when specifications contain explicit differential equations, because =co can manage discontinuities in the right-hand side of the equation.

=co : P((BF × BF) × R)
∀ f1, f2 : BF; t : R • ((f1, f2), t) ∈ =co ⇔ (P(f1, t) ∧ P(f2, t) ∧ f1(t) = f2(t)) ∨ ¬C(f2, t)

Data Types

Data types are subsets of ValE which constitute total local behavior. They can be defined using unary admitted predicates. First, we define the auxiliary operator EnvPoint, which takes a unary predicate pr as its argument and yields another unary predicate. A pair (f, t) fulfills this resulting predicate if and only if a neighborhood of t exists such that, for every t′ from this neighborhood, (f, t′) fulfills the original predicate pr. Note that (f, t) is not required to fulfill pr. EnvPoint maps admitted predicates to admitted ones.

EnvPoint : P(BF × R) → P(BF × R)
∀ pr : P(BF × R) • EnvPoint pr = {f : BF; t : R | ¬ ∃ T : seq₁ (R \ {t}) • limseq T = t ∧ (∀ i : dom T • (f, T i) ∉ pr)}

The most general data type BASIC contains all total local behaviors.

BASIC == P ∩ EnvPoint(P)

The following definitions introduce the data types used in the specifications in Section 3.2. LIM denotes the total local behaviors with existing limits from the left and the right. The frequently used data type SEM characterizes piecewise differentiable local behavior, i.e. local behavior without accumulation of non-differentiable points. CONT and DIFF denote continuous and differentiable behavior, respectively. The data type CONST describes constant behavior. STEP models step functions defined on a continuous time domain. Finally, CLOCK describes differentiable local behavior with gradient 1.

LIM == BASIC ∩ ←L ∩ →L
SEM == LIM ∩ EnvPoint(D)
CONT == SEM ∩ C
DIFF == SEM ∩ D
CONST == BASIC ∩ const
STEP == BASIC ∩ EnvPoint(const) ∩ (←C ∪ →C)
CLOCK == {f : BF; t : R | (f, t) ∈ DIFF ∧ ḟ(t) = 1}

3.2 Examples of Continuous Systems

As mentioned above, the logic CEL was used to describe the semantics of the continuous classes of ZimOO [4], an object-oriented specification language for hybrid systems. ZimOO is based on Object-Z [3], an object-oriented extension of Z [11]. It extends Object-Z, allowing descriptions of the discrete and continuous features of a system in a common formalism. ZimOO supports three different kinds of classes: discrete, continuous, and hybrid. We use the syntax of the continuous ZimOO classes to give some examples of CEL specifications. Axioms are used to specify the state space of continuous ZimOO classes. They are formulated using the syntax of first-order logic and interpreted as CEL formulas, the E-interpretation being assumed. There are no built-in logical functions or predicates in the kernel of ZimOO. Instead, we use the functions and predicates defined in the previous subsection (as justified at the beginning of Section 3.1, the functions and predicates defined there may be used in E-interpreted CEL formulas and therefore in ZimOO classes). Additionally, we use the common point-based functions and predicates defined on reals like +, −, ·, etc. They can all be lifted to FnE or PnE by the composition of LFpn and LFn or by the composition of LPpn and LPn, respectively. In particular, the equality on reals is lifted to F2E. Note that, consequently, we use a point-based equality which depends only on the current real value of the expressions involved, neglecting their local environments.

Cat and Mouse

The cat-and-mouse problem [9] is a simple benchmark from the area of real-time and hybrid systems. We specify it here to demonstrate the descriptive possibilities of languages based on CEL (cf. the class CatAndMouse). The example deals with a cat trying to catch a mouse, which in turn attempts to escape into a hole. The problem is one-dimensional, i.e. the cat, the mouse, and the hole are on a straight line, the cat and the mouse moving along this line. Initially, the mouse, which is located between the cat and the hole at distance m0 from the hole, starts running towards the hole at a constant velocity vm. tc time units later, the cat, which is positioned at c0, starts chasing the mouse at the constant velocity vc. All these constants are declared as real numbers in the axiomatic schema of CatAndMouse.

CatAndMouse
m0, c0 : R>0
vm, vc : R 0 then vc else 0

INIT
t = 0
xm = m0
xc = c0
res = 1

The state space and the dynamics of the system are described in the state schema of CatAndMouse. As the example contains an explicit delay, we need a clock variable t. The current positions of the mouse and the cat are denoted by the variables xm and xc, respectively. The result of the "race" is encoded in the variable res: res = 1 means the mouse wins, res = 2 means the cat is the winner. When the constants tc, m0, 1, 2, etc. are used in the state schema, their values are implicitly lifted to ValE, i.e. to CONST. The second axiom states that the value of res, which initially equals 1, can change if and only if the cat overtakes the mouse before it disappears into the hole. The last two axioms can be interpreted as differential equations describing the movement of the mouse and the cat. Depending on the value of res, xm behaves according to ẋm = vm or ẋm = ẋc. =co ensures that if res does not jump and ẋc represents defined local behavior, then the derivative of xm exists and fulfills one of the two differential equations. At jump points of res and at points where xc is not differentiable, the value of xm is uniquely determined by the continuity of xm.

Billiards

As a further example, we specify the billiards game from [2]. The billiard table is assumed to have length L and width W. Friction is neglected, i.e. we assume the absolute values of the ball velocities vx and vy in the x- and y-directions to be constant. The current position of the ball is described by the pair (x, y), the velocity directions by dx and dy; the current velocity is therefore given by (dx · vx, dy · vy). The first implication in the state schema states that the x-velocity vx may only change its direction dx if a collision with one of the x-borders occurs. The third implication ensures that such a change takes place when an x-border is reached. The second and the fourth implications describe the same facts for the y-direction. Note the use of the limit operators in the last two implications. They can be applied not only to individual variables but also to expressions, because the (lifted) multiplication operator · is total on ValE × ValE, thus yielding a proper element of ValE which can be further processed by the limit operators.

Billiards
L, W, vx, vy : R>0
x, y : CONT
dx, dy : STEP
(dx = −1 ∨ dx = 1) ∧ (dy = −1 ∨ dy = 1)
ẋ =co dx · vx
ẏ =co dy · vy
¬C dx ⇒ x = 0 ∨ x = L
¬C dy ⇒ y = 0 ∨ y = W
x = 0 ∨ x = L ⇒ ←(dx · vx) = −→(dx · vx)
y = 0 ∨ y = W ⇒ ←(dy · vy) = −→(dy · vy)

INIT 0<x
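As an added, executable illustration (not part of the paper or of ZimOO): a small model of the Section 3.1 constructs (one-sided limits, the predicate C, the total derivation operator, and =co) on one assumed kind of basic function, piecewise-affine partial functions, used to F-evaluate the x-direction axioms of the Billiards schema at sample time points. The table length, velocities, trajectory and sample times are constructed; the faulty direction function shows that =co alone tolerates a direction change away from a border, while the axiom ¬C dx ⇒ x = 0 ∨ x = L rejects it.

```python
from dataclasses import dataclass
from math import isclose
from typing import Callable, Dict, Iterable, Optional, Tuple

# Assumption of this example: basic functions f : R -/-> R are piecewise-affine partial
# functions, f(t) = slope * t + offset on each half-open interval [lo, hi).
Segment = Tuple[float, float, float, float]  # (lo, hi, slope, offset)

@dataclass(frozen=True)
class PWA:
    segments: Tuple[Segment, ...]  # pairwise disjoint intervals

    def at(self, t: float) -> Optional[float]:
        """f(t), or None when t is not in dom f (basic functions are partial)."""
        for lo, hi, a, b in self.segments:
            if lo <= t < hi:
                return a * t + b
        return None

    def scale(self, c: float) -> "PWA":
        """The (lifted) product c * f for a constant c; total on BF."""
        return PWA(tuple((lo, hi, a * c, b * c) for lo, hi, a, b in self.segments))

    def seg_left(self, x: float) -> Optional[Segment]:
        """Segment whose interior approaches x from below, if any."""
        return next((s for s in self.segments if s[0] < x <= s[1]), None)

    def seg_right(self, x: float) -> Optional[Segment]:
        """Segment whose interior approaches x from above, if any."""
        return next((s for s in self.segments if s[0] <= x < s[1]), None)

def _same(a: Optional[float], b: Optional[float]) -> bool:
    return a is not None and b is not None and isclose(a, b)

def lim_left(f: PWA, x: float) -> Optional[float]:
    """Limit from the left at x (the paper's left-arrow limit); None = undefined."""
    s = f.seg_left(x)
    return None if s is None else s[2] * x + s[3]

def lim_right(f: PWA, x: float) -> Optional[float]:
    """Limit from the right at x (the paper's right-arrow limit)."""
    s = f.seg_right(x)
    return None if s is None else s[2] * x + s[3]

def continuous_at(f: PWA, t: float) -> bool:
    """Predicate C: t in dom f and both one-sided limits equal f(t)."""
    v = f.at(t)
    return v is not None and _same(lim_left(f, t), v) and _same(lim_right(f, t), v)

def deriv_at(f: PWA, t: float) -> Optional[float]:
    """Derivation operator: two-sided limit at 0 of the difference quotient DQ.
    For piecewise-affine f, DQ tends to a neighbouring slope only where f is continuous
    towards that side: a jump makes DQ unbounded and a kink makes the one-sided limits
    differ, so the (total) operator leaves t outside the derivative's domain."""
    v, sl, sr = f.at(t), f.seg_left(t), f.seg_right(t)
    if v is None or sl is None or sr is None:
        return None
    if not (_same(sl[2] * t + sl[3], v) and _same(sr[2] * t + sr[3], v)):
        return None  # jump at t
    return sl[2] if isclose(sl[2], sr[2]) else None  # equal slopes, otherwise a kink

def eq_co(f1_at: Callable[[float], Optional[float]], f2: PWA, t: float) -> bool:
    """((f1, f2), t) in =co  <=>  (P(f1, t) and P(f2, t) and f1(t) = f2(t)) or not C(f2, t)."""
    return _same(f1_at(t), f2.at(t)) or not continuous_at(f2, t)

# Constructed sample (assumption): table length 2, |vx| = 1, ball starts at x = 0.5 moving
# right, bounces at x = 2 (t = 1.5) and at x = 0 (t = 3.5); observed on the window [0, 5.5).
TABLE_LENGTH, VX = 2.0, 1.0
X = PWA(((0.0, 1.5, 1.0, 0.5), (1.5, 3.5, -1.0, 3.5), (3.5, 5.5, 1.0, -3.5)))
DX = PWA(((0.0, 1.5, 0.0, 1.0), (1.5, 3.5, 0.0, -1.0), (3.5, 5.5, 0.0, 1.0)))
# A faulty direction function: it flips at t = 1.0, where x = 1.5 is not a border.
DX_BAD = PWA(((0.0, 1.0, 0.0, 1.0), (1.0, 3.5, 0.0, -1.0), (3.5, 5.5, 0.0, 1.0)))
TIMES = (0.5, 1.0, 1.5, 2.0, 3.5, 4.0, 5.0)

def billiards_x_axioms(x: PWA, dx: PWA, vx: float, length: float,
                       times: Iterable[float]) -> Dict[str, bool]:
    """F-evaluate the x-direction axioms of the Billiards state schema at each sample
    time point (cf. Def. 12); an entry is True iff its axiom holds at all of them."""
    vel, times = dx.scale(vx), tuple(times)  # dx * vx is a proper element of BF

    def at_border(t: float) -> bool:
        return x.at(t) in (0.0, length)

    def reflects(t: float) -> bool:  # left limit of dx*vx is minus its right limit
        right = lim_right(vel, t)
        return _same(lim_left(vel, t), None if right is None else -right)

    return {
        "x_cont": all(continuous_at(x, t) for t in times),  # x : CONT (its C part)
        "dx_pm1": all(dx.at(t) in (-1.0, 1.0) for t in times),  # dx = -1 or dx = 1
        "x_dot": all(eq_co(lambda s: deriv_at(x, s), vel, t) for t in times),  # x' =co dx*vx
        "bounce": all(continuous_at(dx, t) or at_border(t) for t in times),  # not C dx => border
        "reflect": all(not at_border(t) or reflects(t) for t in times),  # border => reflection
    }
```

Sampling at finitely many time points only approximates F-validity (Def. 13 quantifies over all t ∈ R), so a failing entry is a counterexample while a passing one is evidence, not a proof.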